Certificate Revocation
Certificate revocation invalidates X.509 certificates before their set expiration,
often due to a compromised key.
Next-Generation Firewalls (NGFWs) and Panorama use digital certificates to establish
trust between parties during a secure communication session. A digital certificate
verifies the identity of the entity to which it was issued. When issued, X.509
certificates are assigned a validity period—a specific start date and inclusive
expiration date. Certificates are considered valid and can secure communications during
this period. However, a certificate can become invalid before its expiration date for
several reasons:
- Compromised private key (known or suspected)
- Change in certificate information (for example, a company name change or a domain
name change)
- Discontinued operation of the service belonging to the certificate (for example,
because there is a new service under a different name)
- Change of association between subject and certificate authority (for example, an
employee terminates employment)
Under these circumstances, the certificate authority (CA) that issued the certificate
must revoke it.
Certificate revocation is the process of invalidating a
certificate before it expires. A revoked certificate is no longer trustworthy and can’t
be used to establish secure connections.
When a certificate is part of a chain, an NGFW or Panorama checks the validity of every
certificate in that chain, except for the root CA certificate. This process, known as
certificate revocation checking, prevents potential security breaches and
protects users from untrustworthy websites or services. Some web browsers also perform
this check and, if a website's certificate is revoked, might display a warning or refuse
the connection.
By default, certificate revocation checking is disabled. As a security best practice,
enable this feature to verify the certificates used for
device or user authentication and
SSL/TLS decryption. NGFWs and Panorama support
two methods for verifying certificate revocation status:
- Certificate Revocation List (CRL)—A CRL is a list of certificates, identified by
serial number, that a CA has issued and subsequently revoked. CAs typically publish
CRLs periodically.
- Online Certificate Status Protocol (OCSP)—OCSP is an Internet protocol that enables
clients, such as a firewall or web browser, to obtain the revocation status of an
X.509 certificate in real time. The protocol governs the communication between an OCSP
client, which requests the revocation status, and an OCSP responder, which provides it.
If your enterprise has its own public key infrastructure
(PKI), you can configure an NGFW to function as the OCSP responder.
If you configure both methods, the NGFW or Panorama first tries the OCSP method. The
appliance uses the CRL method only if the OCSP server is unavailable.
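The following added Python model (written for this page; it is not Palo Alto Networks code and does not reflect PAN-OS internals) encodes the two rules stated above: every certificate in the chain except the root CA certificate is checked, OCSP is tried first, and the CRL is consulted only when the OCSP responder is unavailable. The certificates, serial numbers, responder table and CRL are constructed inline; the `Cert`, `CRL`, `make_responder`, `check_chain` and `chain_trusted` names are this example's own, and treating any status other than "good" as untrusted is an assumption of the model, not a statement about the appliance's configurable policy.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate with only the fields revocation
    checking needs (constructed for this example, not parsed from DER)."""
    subject: str
    issuer: str
    serial: int

    @property
    def is_root(self) -> bool:
        # A self-signed certificate at the top of the chain is the trust anchor.
        return self.subject == self.issuer


class OCSPUnavailable(Exception):
    """The OCSP responder could not be reached (timeout, refused connection, ...)."""


# An OCSP responder answers "good", "revoked" or "unknown" for one certificate,
# or raises OCSPUnavailable.
OCSPResponder = Callable[[Cert], str]


@dataclass
class CRL:
    """A CRL is the set of revoked serial numbers published by one issuer."""
    issuer: str
    revoked_serials: Set[int] = field(default_factory=set)


def make_responder(statuses: Dict[int, str], online: bool = True) -> OCSPResponder:
    """Build a simulated OCSP responder from a serial -> status table."""
    def respond(cert: Cert) -> str:
        if not online:
            raise OCSPUnavailable(f"no response for serial {cert.serial:#x}")
        return statuses.get(cert.serial, "unknown")
    return respond


def check_cert(cert: Cert, ocsp: OCSPResponder, crls: Dict[str, CRL]) -> Tuple[str, str]:
    """Return (status, method). OCSP is tried first; the issuer's CRL is
    consulted only when the responder is unavailable."""
    try:
        return ocsp(cert), "ocsp"
    except OCSPUnavailable:
        pass
    crl = crls.get(cert.issuer)
    if crl is None:
        return "unknown", "none"  # neither source could answer
    status = "revoked" if cert.serial in crl.revoked_serials else "good"
    return status, "crl"


def check_chain(chain: List[Cert], ocsp: OCSPResponder,
                crls: Dict[str, CRL]) -> Dict[str, Tuple[str, str]]:
    """Check every certificate in the chain except the root CA certificate."""
    results: Dict[str, Tuple[str, str]] = {}
    for cert in chain:
        if cert.is_root:
            continue  # the trust anchor itself is not revocation-checked
        results[cert.subject] = check_cert(cert, ocsp, crls)
    return results


def chain_trusted(results: Dict[str, Tuple[str, str]]) -> bool:
    # Assumption of this model: fail closed; anything but "good" blocks the connection.
    return all(status == "good" for status, _ in results.values())


def example_chain() -> List[Cert]:
    """Constructed leaf -> intermediate -> root chain."""
    return [
        Cert("www.example.test", "Example Issuing CA", serial=0x1001),
        Cert("Example Issuing CA", "Example Root CA", serial=0x0042),
        Cert("Example Root CA", "Example Root CA", serial=0x0001),
    ]


if __name__ == "__main__":
    chain = example_chain()
    crls = {"Example Issuing CA": CRL("Example Issuing CA", {0x1001})}
    # Responder online and answering "good": the CRL is never consulted,
    # even though it lists the leaf serial.
    print(check_chain(chain, make_responder({0x1001: "good", 0x0042: "good"}), crls))
    # Responder down: fall back to the CRL, which marks the leaf as revoked.
    print(check_chain(chain, make_responder({}, online=False), crls))
```

The second run shows the intermediate as ("unknown", "none"): its issuer is the root CA, for which no CRL was supplied, so neither method could answer. Whether such an unknown result blocks or allows the session is a policy decision this model simply fails closed on.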